Valimail Enforce - Unusual Rate of Configuration Changes or User Additions
| Id | 3cbb78d9-81ac-42c9-b3cd-7e6baea7d9ff |
| Rulename | Valimail Enforce - Unusual Rate of Configuration Changes or User Additions |
| Description | This query searches for a single user performing more than 3 configuration changes or user additions within a 1-hour window on any domain. An unusual burst of changes may indicate a compromised admin account, unauthorized automation, or insider threat. |
| Severity | Medium |
| Tactics | Impact DefenseEvasion PrivilegeEscalation |
| Techniques | T1562 T1531 T1078 |
| Required data connectors | ValimailEnforce |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UnusualChangeRate.yaml |
| Version | 1.0.0 |
| Arm template | 3cbb78d9-81ac-42c9-b3cd-7e6baea7d9ff.json |
let threshold = 3;
let timeWindow = 1h;
ValimailEnforceEvents_CL
| where EventCategory in (
"DMARCPolicy",
"SPFConfiguration",
"DKIMConfiguration",
"DomainManagement",
"UserManagement"
)
| summarize
ChangeCount = count(),
HighValueCount = countif(IsHighValueEvent == true),
Domains = make_set(Subject),
DomainCount = dcount(Subject),
Actions = make_set(EventType),
Categories = make_set(EventCategory),
FirstSeen = min(PerformedAt),
LastSeen = max(PerformedAt)
by User, bin(PerformedAt, timeWindow)
| where ChangeCount > threshold
| extend
AccountName = tostring(split(User, "@")[0]),
AccountDomain = tostring(split(User, "@")[1]),
DomainName = tostring(Domains[0]),
ChangesPerMin = round(todouble(ChangeCount) / 60.0, 2)
relevantTechniques:
- T1562
- T1531
- T1078
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountName
identifier: Name
- columnName: AccountDomain
identifier: UPNSuffix
- entityType: DNS
fieldMappings:
- columnName: DomainName
identifier: DomainName
version: 1.0.0
id: 3cbb78d9-81ac-42c9-b3cd-7e6baea7d9ff
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
This query searches for a single user performing more than 3 configuration changes or user
additions within a 1-hour window on any domain. An unusual burst of changes may
indicate a compromised admin account, unauthorized automation, or insider threat.
requiredDataConnectors:
- connectorId: ValimailEnforce
dataTypes:
- ValimailEnforceEvents_CL
triggerOperator: gt
name: Valimail Enforce - Unusual Rate of Configuration Changes or User Additions
tactics:
- Impact
- DefenseEvasion
- PrivilegeEscalation
alertDetailsOverride:
alertDescriptionFormat: |
User '{{User}}' made {{ChangeCount}} configuration changes across {{DomainCount}} domain(s) within one hour.
alertDisplayNameFormat: Unusual change rate by {{User}}, {{ChangeCount}} changes in 1h across {{DomainCount}} domain(s)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UnusualChangeRate.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
let threshold = 3;
let timeWindow = 1h;
ValimailEnforceEvents_CL
| where EventCategory in (
"DMARCPolicy",
"SPFConfiguration",
"DKIMConfiguration",
"DomainManagement",
"UserManagement"
)
| summarize
ChangeCount = count(),
HighValueCount = countif(IsHighValueEvent == true),
Domains = make_set(Subject),
DomainCount = dcount(Subject),
Actions = make_set(EventType),
Categories = make_set(EventCategory),
FirstSeen = min(PerformedAt),
LastSeen = max(PerformedAt)
by User, bin(PerformedAt, timeWindow)
| where ChangeCount > threshold
| extend
AccountName = tostring(split(User, "@")[0]),
AccountDomain = tostring(split(User, "@")[1]),
DomainName = tostring(Domains[0]),
ChangesPerMin = round(todouble(ChangeCount) / 60.0, 2)
status: Available
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: Selected
groupByEntities:
- Account
reopenClosedIncident: false
enabled: true
lookbackDuration: 1d